On Monday, the Nomad cross-chain token bridge was attacked and the attackers essentially drained the protocol of all its cash. Nearly $200 million worth of cryptocurrencies were lost as a result of the hack.
Like other cross-chain bridges, Nomad allows users to transfer tokens back and forth between multiple blockchains. Monday’s attack is the latest in a series of widely reported incidents that have raised concerns about the safety of cross-chain bridges.
According to the DeFi monitoring platform DeFi Llama, almost all of the bridge’s $200 million in cryptocurrency has been taken, leaving only $651.54 in the wallet.
Nomad later claimed that some of the money had been siphoned off by “white hat friends” who did it to protect the funds.
So, how did that happen?
Bridges typically work by locking tokens into a smart contract on one network and reissuing them in a “wrapped” form on a different chain. Wrapped tokens lose their backing if the smart contract the original tokens were deposited into is compromised. This was the case with Nomad, leaving the wrapped tokens worthless.
@samczsun, a researcher at cryptocurrency investment firm Paradigm, explained on Twitter that a recent change to one of Nomad’s smart contracts made it easier for users to fake transactions. Users could therefore use the Nomad bridge to withdraw money that was not actually theirs.
The Nomad attack was a free-for-all, unlike some bridge attacks where a single attacker is responsible for the entire exploit.
11/ This is why the hack was so messy – you didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, then rebroadcast it
— samczsun (@samczsun) August 2, 2022
The tokens drained from the bridge in the incident were WBTC, Wrapped Ether (WETH), USD Coin (USDC), Frax (FRAX), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai (DAI), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL) and Charli3 (C3).
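The copy-and-replace pattern described in the tweet above leaves a recognisable trace: many senders submitting the same call data with only their own address swapped in. The following detection sketch is an added example, not code from Nomad or the researcher; the addresses, function selector, argument layout and field names are constructed assumptions.

```python
from collections import defaultdict

PLACEHOLDER = "<sender>"

def strip0x(h):
    h = h.lower()
    return h[2:] if h.startswith("0x") else h

def mask_sender(sender, calldata):
    """Replace byte-aligned occurrences of the sender's address in calldata."""
    addr, data = strip0x(sender), strip0x(calldata)
    if len(addr) != 40:
        raise ValueError("expected a 20-byte address")
    out, i = [], 0
    while i < len(data):
        if i % 2 == 0 and data.startswith(addr, i):
            out.append(PLACEHOLDER)
            i += len(addr)
        else:
            out.append(data[i])
            i += 1
    return "".join(out)

def find_copycat_groups(txs, min_senders=2):
    """Group calls whose payloads match once each sender's own address is masked."""
    groups = defaultdict(set)
    for tx in txs:
        template = mask_sender(tx["from"], tx["input"])
        # Calls that never embed the sender (e.g. argument-less calls) are ignored.
        if PLACEHOLDER in template:
            groups[(strip0x(tx["to"]), template)].add(tx["from"].lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_senders}

# Constructed sample data: addresses, selector and argument layout are made up.
BRIDGE = "0x" + "b1" * 20
A, B, C = ("0x" + x * 20 for x in ("aa", "bb", "cc"))

def _call(recipient, amount):
    return "0xdeadbeef" + strip0x(recipient).rjust(64, "0") + format(amount, "064x")

SAMPLE_TXS = [
    {"from": A, "to": BRIDGE, "input": _call(A, 100)},
    {"from": B, "to": BRIDGE, "input": _call(B, 100)},  # same payload, address swapped
    {"from": C, "to": BRIDGE, "input": _call(C, 7)},    # different amount, own group
    {"from": A, "to": BRIDGE, "input": "0x12345678"},   # no address in calldata
    {"from": B, "to": BRIDGE, "input": "0x12345678"},
]

if __name__ == "__main__":
    for (to, _), senders in find_copycat_groups(SAMPLE_TXS).items():
        print(f"contract 0x{to}: {len(senders)} senders reused one payload: {senders}")
```

Run against a live feed, a sudden rise in the size of one group for a single contract is the signal worth alerting on.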
Beware of imitators!
After learning about the issue, Nomad informed its users about it. In addition, the company warned users to beware of scammers. Nomad tweeted:
“We are aware of impersonators posing as Nomad and providing fraudulent addresses to collect money. We do not yet provide instructions on returning bridge funds. Ignore messages from all channels except Nomad’s official channel.”
The MoonBeam network has been effectively put on hold while the team investigates. As a result, interactions between smart contracts and regular transactions using MoonBeam will no longer be possible.
At least one person has publicly stated his intention to pose as a white hat hacker who will restore the funds that have been removed from the bridge so far. In fact, Nomad was contacted by one user who tweeted,
“It’s a white hack, I guess. I will give the money back.”
More and more attacks on bridges
Bridge attacks have increased in frequency in recent months as cryptocurrency users have shown a greater desire to transfer funds between various blockchains.
While cross-chain bridges have enabled the proliferation of fledgling blockchains, bridge failures can be devastating for smaller chains that depend on them for a significant portion of their overall liquidity.
One of Nomad’s newest blockchains, Evmos, also reacted to the incident in a tweet. It claimed that the Nomad episode “severely damages the original Evmos [total value locked]”, and that it would be “brainstorming community solutions”.